CVE-2026-23748

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-23748

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23748.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-23748

Published

2026-02-26T18:23:06.550Z

Modified

2026-03-01T02:23:15.636928Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit d7f55b38, contain an out-of-bounds read in LightDB State string parsing. When processing a string payload, a payloadsize value less than 2 can cause a sizet underflow when computing the number of bytes to copy (nbytes). The subsequent memcpy() reads past the end of the network buffer, which can crash the device. The condition is reachable from onpayload, and goliothpayloadisnull() does not block payload_size==1. A malicious server or MITM can trigger a denial of service.

References

Affected packages

Git / github.com/golioth/golioth-firmware-sdk

Affected ranges

Type: GIT
Repo: https://github.com/golioth/golioth-firmware-sdk
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

d7f55b380d8be8b29bd101ce06e421af2e88c12b

Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f15281671a9dd5c14a5215021f4469a8e3071b37

Affected versions

v0.*

v0.1.0

v0.10.0

v0.11.0

v0.11.1

v0.12.0

v0.12.1

v0.12.2

v0.13.0

v0.13.1

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.18.1

v0.19.0

v0.19.1

v0.20.0

v0.21.0

v0.21.1

v0.3.0

v0.4.0

v0.5.0

v0.6.0

v0.7.0

v0.8.0

v0.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23748.json"

vanir_signatures

[
    {
        "digest": {
            "line_hashes": [
                "270491787148285070387330187905151400246",
                "195132740043648741634691365970305938567",
                "265329507019446736592808368929759304553"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2026-23748-b1e850b9",
        "source": "https://github.com/golioth/golioth-firmware-sdk/commit/d7f55b380d8be8b29bd101ce06e421af2e88c12b",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "src/lightdb_state.c"
        },
        "signature_type": "Line"
    },
    {
        "digest": {
            "length": 1186.0,
            "function_hash": "304645336577916009732044048905621108770"
        },
        "id": "CVE-2026-23748-fa2daa08",
        "source": "https://github.com/golioth/golioth-firmware-sdk/commit/d7f55b380d8be8b29bd101ce06e421af2e88c12b",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "src/lightdb_state.c",
            "function": "on_payload"
        },
        "signature_type": "Function"
    }
]